[Openstack] RDO: IPtables with DNAT
Remo Mattei
Remo at Italy1.com
Thu Feb 4 16:05:53 UTC 2016
I agree with Brian
Let Neutron do all the work; those rules are now in the namespace. Therefore I would suggest trying to let all the services do their job and seeing if that works.
Sent from iPhone
> On 04 Feb 2016, at 06:56, Brian Haley <brian.haley at hpe.com> wrote:
>
>> On 02/04/2016 07:05 AM, Kamen Tarlov wrote:
>> Hello,
>>
>> We have a single-node installation with the RDO Kilo release. The network configuration
>> consists of 2 private networks, one of which is floating. Networks are routed
>> just inside the node. The problem I'm facing is when I try to configure
>> DNAT rules to reroute traffic/ports to a VM. Initially the traffic to the VM works
>> fine until Neutron reorders the rules on top:
>>
>> Chain PREROUTING (policy ACCEPT)
>> target prot opt source destination
>> neutron-openvswi-PREROUTING all -- anywhere anywhere
>> nova-api-PREROUTING all -- anywhere anywhere
>>
>> Is there any way I can prevent this or set them with lower priority?
>
> I guess my first question is, why are you manually adding DNAT rules? Why aren't you letting Neutron manage iptables for the VMs? You would need to give more information on the exact rule you are trying to add to help make things clearer.
>
> As a rule of thumb, it's a bad idea to try and add/remove iptables rules while Neutron agents are running, you will eventually find yourself in a race condition where rules are missing and things don't work. If you need to add a rule I would recommend doing it before the agents are started, that way it will get left alone.
>
> -Brian
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
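As an added example (not code from this thread, nor from Neutron or Nova), the Python below parses `iptables-save -t nat` output and reports which hand-added DNAT rules in PREROUTING now sit below the neutron-*/nova-* jumps that the agents re-insert at the top of the chain, which is the ordering problem Kamen describes. The sample output is constructed to match the chain he posted (addresses and ports are made up), and the list of agent-owned chain prefixes is an assumption.

```python
"""Check whether hand-added DNAT rules still precede the agent-owned jumps
in the nat PREROUTING chain.

Added example for this thread; not code from the original posts or from
Neutron/Nova.  Reads `iptables-save -t nat` output from stdin, or uses the
constructed sample below when run without input:

    iptables-save -t nat | python3 check_prerouting.py
"""
import re
import sys
from dataclasses import dataclass

# Chains owned by the OpenStack agents.  Neutron and Nova re-insert jumps to
# these at position 1 whenever they reload their rules.  (Assumed prefixes.)
AGENT_CHAIN_PREFIXES = ("neutron-", "nova-")

# Constructed sample (not captured from a real host).  Addresses/ports are
# invented; the chain layout mirrors the one quoted in the thread.
_HEADER = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
"""
AGENT_JUMPS = [
    "-A PREROUTING -j neutron-openvswi-PREROUTING",
    "-A PREROUTING -j nova-api-PREROUTING",
]
MANUAL_DNAT = [
    "-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 2222"
    " -j DNAT --to-destination 10.0.0.5:22",
    "-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8080"
    " -j DNAT --to-destination 10.0.0.5:80",
]
# State after the agents reloaded: their jumps are back on top.
SAMPLE_AFTER_RELOAD = _HEADER + "\n".join(AGENT_JUMPS + MANUAL_DNAT) + "\nCOMMIT\n"
# State the poster had before the reload: manual DNAT rules first.
SAMPLE_BEFORE_RELOAD = _HEADER + "\n".join(MANUAL_DNAT + AGENT_JUMPS) + "\nCOMMIT\n"


@dataclass
class Rule:
    position: int   # 1-based position within the chain
    text: str       # the rule line as written by iptables-save
    target: str     # value of -j ("" if the rule has no target)


def parse_chain(save_output, table="nat", chain="PREROUTING"):
    """Return the rules appended to `chain` in `table`, in chain order."""
    rules = []
    in_table = False
    for line in save_output.splitlines():
        if line.startswith("*"):            # table header, e.g. "*nat"
            in_table = line[1:].strip() == table
            continue
        if line == "COMMIT":
            in_table = False
            continue
        if not in_table or not line.startswith("-A "):
            continue                        # skip chain declarations, comments
        m = re.match(r"-A (\S+) (.*)$", line)
        if m and m.group(1) == chain:
            jm = re.search(r"-j (\S+)", m.group(2))
            rules.append(Rule(len(rules) + 1, line, jm.group(1) if jm else ""))
    return rules


def is_agent_jump(rule):
    """True for jumps into a neutron-*/nova-* chain."""
    return rule.target.startswith(AGENT_CHAIN_PREFIXES)


def manual_dnat_below_agent_jumps(save_output, chain="PREROUTING"):
    """Return the hand-added DNAT rules that sit below at least one agent jump.

    nat is consulted only for the first packet of a connection and DNAT is a
    terminating target, so such a rule is reached only for packets the agent
    chains did not translate themselves.
    """
    seen_agent_jump = False
    below = []
    for r in parse_chain(save_output, chain=chain):
        if is_agent_jump(r):
            seen_agent_jump = True
        elif r.target == "DNAT" and seen_agent_jump:
            below.append(r)
    return below


def report(save_output):
    """Human-readable summary of the PREROUTING ordering."""
    below = manual_dnat_below_agent_jumps(save_output)
    if not below:
        return "OK: no manual DNAT rule sits below an agent jump in PREROUTING"
    lines = ["WARNING: manual DNAT rules reordered below agent jumps:"]
    lines += ["  #%d %s" % (r.position, r.text) for r in below]
    return "\n".join(lines)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AFTER_RELOAD
    print(report(data))
```

Run it from cron or a post-reload hook to catch the reordering Kamen hit instead of discovering it when the forwarded port stops answering. Re-inserting the rules with `iptables -t nat -I PREROUTING 1 ...` while the agents are running is exactly the race Brian warns about; add them before the agents start, or let Neutron install the DNAT itself via a floating IP.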